The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats. Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user based attacks.
Polymorphic Protector
02.23.2007 - 3:35 PM
Among the large amount of malware we see, we have noticed a few samples this week that
were heavily obfuscated by some sort of "polymorphic packer." Interestingly,
unlike the output of most packers/protectors, the application code wasn't just
decrypted and executed from a section, but was instead executed on the heap.
The applications were apparently compiled in Visual C++ and didn't contain any
position-independent code. (The code needs to be loaded at a given address;
otherwise, it won't execute correctly.)
It seems that this obfuscating tool requir...
It’s good to be an information miser
02.13.2007 - 5:00 PM
Why bad guys get paid more to socialize with a prospective victim
Kevin Mitnick, the famous computer criminal who is now a security consultant, has attributed many of his successes at breaking into systems to his ability to trick people into giving up their passwords. He coined the term "social engineering" and noted that it is much easier to trick someone into giving up sensitive information than it is to hack into a system using technical skills.
Hmm, let’s see. I could crack SHA-1 in 5.9029581035870 x 10^20 attempts, or . . . I can just talk to you about beer and ice hockey while I stand over your shoulder and watch you type your password. Tough call.
The surge in popularity of "Web 2.0" websites has shown that, among other things, people place a higher importance on cool new widgets and ease-of-use than on security (security is an afterthought -- oh yeah, it’d be nice to be safe too). The very definition of Web 2.0, from the person who coined the term (Tim O’Reilly), does not describe any security implications.
Pretending to be someone else is popular
Here at Websense, we’re constantly on the lookout for emerging threats on the web -- a subset of which are phishing attacks. The irony of the Web 2.0 trend is the increased emphasis on aesthetics, the look and feel of a site, when aesthetics is th...
Chinese alliance against Google spreading malicious code
02.13.2007 - 11:41 AM
Our "ThreatSeeker" process recently discovered an interesting website that attempts to exploit unpatched Internet Explorer users who have the Chinese language pack installed. If users are not running the latest version of IE, they will be exploited with code that utilizes the MS06-014 "MDAC" vulnerability. Upon visiting the site, a Trojan Downloader connects to another site, which downloads and installs a file called md5.exe. This file is run as "chenzi.exe". This filename has been used in the past by infected websites within the Chinese domain/IP sp...
Defacing -> A Malicious Trifecta
02.12.2007 - 8:01 AM
Recently we have been doing more research into defaced websites, and we are seeing an increase in the use of defaced sites for other nefarious purposes. We are going to publish a more thorough report on the general subject soon on our blog, but until then we thought we would show an example of a recent one.
A CRM & customer service site was recently compromised (it has since been cleaned up). The site was defaced by a group that goes by the name of "The Black Scorp!on Team". Unlike defacement attacks in the past, which simply replace the main homepage of the site for political, hacktivist, or ot...
Dolphin Stadium Malware Analysis
02.10.2007 - 10:32 AM
Last Friday, we discovered malicious code on the official website of Dolphin Stadium. A malicious attacker had successfully compromised the site, placing a link to a malicious JavaScript file in the front-page header of the site. Visitors to the site execute the script, which attempts to exploit two vulnerabilities: MS06-014 and MS07-004. If either of these exploit attempts is successful, the computer becomes infected with a malicious file. This post is going to focus on those downloaded malicious files.
Last Friday’s Alert: http://www.websense.com/securitylabs/alerts/alert.php?AlertID=733
The first dow...
Bot War?
02.05.2007 - 2:00 PM
On January 31 we witnessed a large number of stock "pump and dump" lures that attempt to entice recipients into buying a penny stock. Around the same time, we also discovered postings on newsgroups and websites containing the same information (see screenshots).
OK, nothing new there. We have seen this happening a lot recently.
Email screenshot: [image]
Web screenshot: [image]
Previous Posts
February 2007
02.23.2007 - Polymorphic Protector
02.13.2007 - It’s good to be an information miser
02.13.2007 - Chinese alliance against Google spreading malicious code
02.12.2007 - Defacing -> A Malicious Trifecta
02.10.2007 - Dolphin Stadium Malware Analysis
02.05.2007 - Bot War?
Archives
+ January 2007
+ December 2006
+ November 2006
+ October 2006
+ September 2006